CNIL (France) - SAN-2021-022: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2021-022 |ECLI= |Origin...") |
m (→Facts) |
||
Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
A company selling furniture with its main establishment in France undertook an investigation by the French DPA. The | A company selling furniture with its main establishment in France undertook an investigation by the French DPA. The investigation was performed both online and on-site. It revealed that the company had no data retention procedures in place, and that personal data was not regularly deleted or archived. The investigation also revealed that the company did not provide its customers with information about the legal basis for processing, nor about the data retention period. Lastly, the investigation revealed that customer accounts belonging to data subjects who had requested data erasure, had in fact not been deleted but instead simply deactivated. | ||
The French DPA, acting as lead supervisory authority, sent a draft order to the other supervisory authorities involved. The Berlin supervisory authority objected in accordance with | The French DPA, acting as lead supervisory authority, sent a draft order to the other supervisory authorities involved. The Berlin supervisory authority objected in accordance with [[Article 60 GDPR|article 60(4) GDPR]] and requested that the draft order be turned into a draft penalty, and more specifically an administrative fine. The furniture company contested this objection, arguing that the company had very few sales in Germany. | ||
=== Holding === | === Holding === | ||
The French DPA first held that the Berlin DPA's objections to the draft decision had been | The French DPA first held that the Berlin DPA's objections to the draft decision had been reasonable, and that the number of sales in Germany was irrelevant under Chapter VII GDPR. The French DPA amended its original draft to a draft penalty. | ||
The French DPA subsequently held that the lack of an implemented data retention procedure constituted a breach of article 5(1) GDPR. The lack of information about the date retention procedures provided in the online store | The French DPA subsequently held that the lack of an implemented data retention procedure constituted a breach of [[Article 5 GDPR|article 5(1) GDPR]]. The lack of information about the legal basis date retention procedures provided in the online store constituted a breach of [[article 13 GDPR]]. The DPA noted that the link between these two breaches did not prevent them from being sanctioned as separate breaches. | ||
The DPA furthermore held that the obligation to comply with requests for erasure under article 17 GDPR had been breached. | The DPA furthermore held that the obligation to comply with requests for erasure under [[article 17 GDPR]] had been breached. | ||
The DPA imposed an administrative fine of EUR 120,000. | The DPA imposed an administrative fine of EUR 120,000. |
Latest revision as of 10:16, 10 July 2022
CNIL - SAN-2021-022 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 5(1) GDPR Article 13(2) GDPR Article 60 GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 30.12.2021 |
Published: | |
Fine: | 120000 EUR |
Parties: | n/a |
National Case Number/Name: | SAN-2021-022 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | EDPB (in EN) |
Initial Contributor: | n/a |
The French DPA fines company for lack of data retention procedures, lack of information in privacy policy and non-compliance with data erasure requests.
English Summary
Facts
A company selling furniture with its main establishment in France undertook an investigation by the French DPA. The investigation was performed both online and on-site. It revealed that the company had no data retention procedures in place, and that personal data was not regularly deleted or archived. The investigation also revealed that the company did not provide its customers with information about the legal basis for processing, nor about the data retention period. Lastly, the investigation revealed that customer accounts belonging to data subjects who had requested data erasure, had in fact not been deleted but instead simply deactivated.
The French DPA, acting as lead supervisory authority, sent a draft order to the other supervisory authorities involved. The Berlin supervisory authority objected in accordance with article 60(4) GDPR and requested that the draft order be turned into a draft penalty, and more specifically an administrative fine. The furniture company contested this objection, arguing that the company had very few sales in Germany.
Holding
The French DPA first held that the Berlin DPA's objections to the draft decision had been reasonable, and that the number of sales in Germany was irrelevant under Chapter VII GDPR. The French DPA amended its original draft to a draft penalty.
The French DPA subsequently held that the lack of an implemented data retention procedure constituted a breach of article 5(1) GDPR. The lack of information about the legal basis date retention procedures provided in the online store constituted a breach of article 13 GDPR. The DPA noted that the link between these two breaches did not prevent them from being sanctioned as separate breaches.
The DPA furthermore held that the obligation to comply with requests for erasure under article 17 GDPR had been breached.
The DPA imposed an administrative fine of EUR 120,000.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
Decision of the Restricted Committee No.SAN-2021-022 of 30 December 2021 concerning The Commission Nationale de l’Informatique et des Libertés (CNIL - the French Data Protection Authority), met in its Restricted Committee consisting of , Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data; Having regard to the French Data Protection Act No. 78-17 of 6 January 1978, in particular articles 20 et seq.; Having regard to Decree No. 2019-536 of 29 May 2019 implementing Act No. 78-17 of 6 January 1978 on data protection; Having regardto Decision No. 2013-175 of 4 July2013 adoptingthe internal rules of procedure of the CNIL; Having regard to Decision No. 2019-084C of 24 April 2019 of the CNIL Chairman to instruct the secretary general to carry out or have a third party carry out a task to verify the processing implemented by that organisation or on behalf of ; Having regard to the decision of CNIL’s Chairman appointing a rapporteur before the Restricted Committee of 12 April 2021; Having regard to the report of , commissioner and rapporteur, notified to on 9 July 2021; Having regard to the written observations made by on 3 September 2021; Having regard to the other documents in the file; The following were present at the Restricted Committee session on 16 September 2021: - , commissioner, his report having been read; As representatives of : - - - - with addressing the session last. The Restricted Committee adopted the following decision: I. Facts and proceedings, 1. (hereinafter “the company”) is a public limited company with a Board of Directors and with share capital of located at Its main activity is the sale of furniture on the Internet and in store. 2. started its business in 2007 and has approximately employees. In 2020, it generated turnover of with a net loss of . 3. markets its products in France and several European Union countries from the website“ ” (hereinafter “the website”). It alsohas twostores inFranceowned by its subsidiary, 4. Pursuant to Decision No. 2019-084C dated 24 April 2019 of the Chairman of the Commission nationale de l’informatique et des libertés (hereinafter “CNIL” or “the Authority”), a CNIL team carried out an online investigation into the processing accessible from the domain on 9 May 2019, and an on-site investigation at on 5 June 2019. The purpose of these investigations was to verify the company’s compliance with all the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the Regulation” or “GDPR”) and with amended Act No. 78-17 of 6 January 1978 on data protection (hereinafter “the amended Act of 6 January 1978” or “the French Data Protection Act”). 5. In particular, the investigations focused on the processing of personal data of the company’s customers and prospective customers. The checks performed concerned the retention periods of the personal data, the information brought to the attention of the data subjects concerning the processing carried out by the company, compliance with data subjects’ requests for erasure of their data, the obligation to provide a legal act for the processing operations carried out on behalf of the data controller as well as the obligation to ensure data security. 6. At the end of the checks, report no. 2019-084/1 and no. 2019-084/2 were notified to in two letters dated 15 May and 11 June 2019. The company sent the Authority the additional documents requested at the end of the investigation by email on 12 June 2019. 7. By email of 22 August 2019, the company sent the investigation team several additional documents, relating in particular to the change in the company’s name, the privacy policy displayed in store or in emails sent at the time of the creation of a user account. 8. As the investigations establishedthe cross-border nature of the processing concerned, the CNIL informed all European supervisory authorities on 1 July 2020, in accordance with Article 56 of the GDPR, of its competence to act as lead supervisory authority. Seven authorities declared themselves involved in this procedure, within the meaning of Article 4 (22) of the GDPR. 9. On 5 October 2020, the CNIL Chairman submitted a draft order to the seven authorities concerned. Following this communication, the Berlin authority raised a relevant and reasoned, objection within the meaning of Article 60 of the GDPR, requesting that the draft order be transformed into a draft penalty, and more specifically an administrative fine. In support of this request, the authority concerned pointed out, in particular, the number of data subjects and the duration of the violations. 10. In order to examine these elements, the Authority’s Chairman appointed as rapporteur on 12 April 2021, pursuant to Article 39 of Decree No. 2019-536 of 29 May 2019 implementing the amended Act of 6 January 1978 (hereinafter the “Decree of 29 May 2019”). 11. At the end of his investigation, on 7 July2021, the rapporteur sent a report detailing the breaches of the GDPR that he considered to have occurred in this case and indicating to the companythat,inviewofthesummerbreak,it hadanadditionalperiodtothe onemonthinitially provided for in which to submit its written observations pursuant to the provisions of Article 40 of the Decree of 29 May 2019. It was also given a letter informing it that the case file was on the agenda of the Restricted Committee of 16 September 2021. 12. This report proposed to the Authority’s Restricted Committee to impose an injunction to make the processingcompliant with theprovisions ofArticles 5(1)(e),13, 17, 28and32 of the GDPR, accompanied by a penalty per day of delay at the end of a three-month period following notification of the Restricted Committee’s decision, as well as an administrative fine. It also proposed that this decision be made public and that the company no longer be identifiable by name upon expiry of a two-year period following its publication. 13. On 3 September 2021, the company submitted observations through its counsel. 14. The company and the rapporteur presented oral observations at the Restricted Committee’s session. II. Reasons for the decision 15. According to Article 56(1) of the Regulation “the supervisory authority of the main establishment or sole establishment of the controller or processor shall be competent to act as lead supervisory authority regarding the cross-border processing carried out by that controller or processor, in accordance with the procedure laid down in Article 60”. 16. In this case, the Restricted Committee found, firstly, that the company’s registered office has been in France since the creation of the company in 2007, that the company has been entered in the Trade and Companies Register in France since its inception and that it does not have any other establishment in the EU. 17. It follows from the above that the CNIL is competent to act as the lead supervisory authority for the cross-border processingimplemented bythis company, in accordance with Article 56(1) of the Regulation., 18. In accordance with the cooperation and consistency mechanism provided for in Chapter VII of the GDPR, on 1 July 2020, CNIL informed all European supervisory authorities of its competence to act as the lead supervisory authority concerning the cross-border processing carried out by the company, thus opening the notification procedure for the relevant authorities in this case. 19. The supervisory authorities of the following countries were affected by this procedure: Germany, Belgium, Spain, Italy, Luxembourg and the Netherlands. 20. Pursuant to Article 60(5) of the GDPR, the revised draft decision adopted by the restricted formation was transmitted to these supervisory authorities on 15 December 2021. 21. On 29 December 2021, none of the supervisory authorities concerned had raised any relevant and reasoned objections to the draft decision, so that, pursuant to Article 60(6) of the GDPR, they are deemed to have approved it. A. Regarding the proceedings 22. In defence, the company contests the objection made by the Berlin supervisory authority to the CNIL’s draft order, by which the authority requested the company be given an administrative fine. The company considers that it should have been the subject of an order, as initially proposed by the CNIL, and not penalty proceedings before the Restricted Committee. 23. In particular, the company expresses its surprise at the importance given to Berlin’s objection, while the sales made bythe companyin Germany only represented 3.7% of its turnover in 2020 with a German customer base of 11,168 customers. 24. The Restricted Committee notes first of all that, as part of the cooperation process set up by the GDPR, all supervisory authorities concerned within the meaning of Article 4(22) of the GDPR may issue relevant and reasoned objections to the draft decision submitted to them by the lead supervisory authority. It is then the responsibility of the lead supervisory authority to decide whether to uphold or reject the objections made, which was done in this case by the CNIL’s Chairman, in accordance with the provisions of Article 52 of Decree No. 2019-536 of 29 May 2019. 25. The Restricted Committee then notes that the criteria for determining whether a supervisory authority is concerned are set out in Article 4(22) of the GDPR and that, therefore, the turnover of a company in a Member State of the European Union or the number of customers concerned are irrelevant, provided that these criteria are met, which is the case here. 26. In addition, while indicating that the assessment of the follow-up given to the objection made by Berlin’s supervisoryauthoritywas the responsibilityof the CNIL’s Chairman, the Restricted Committee emphasises that this objection was part of the cooperation and consistency mechanism provided for in Chapter VII of the GDPR intended to ensure harmonisation of the implementation of this regulation, in particular regarding the application of supervisory authorities’ enforcement policy.,27. Finally, the RestrictedCommitteenotes that,with regardtotheobjectionrelatingto the absence of a prior order, the Conseil d’Etat ruled (EC, 9 October 2020, SERGIC, no. 433311) that it “clearly emerges [from the provisions of Article 20 of the amended Act of 6 January 1978], that the imposition of a penalty by the CNIL’s Restricted Committee is not subject to CNIL’s Chairman giving the data controller or its data processor a prior order. […]”. 28. In light of these elements, the Restricted Committee considers that the CNIL has complied with the procedure applicable under the national provisions and the GDPR. B. Regarding the breach of the obligation to specify and comply with a personal data retention period in proportion to the purpose of the processing in accordance with Article 5(1)(e) of the GDPR 29. According to Article 5(1)(e) of the Regulation, personal data must be “kept in a form which permits identificationofdata subjects for nolongerthanis necessary for thepurposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (“storage limitation”)”. 30. The rapporteur noted that during the on-site investigation of 5 June 2019, the company had indicated to the investigation team that no retention period for personal data of customers (who are according to the company the persons who have created an account and placed an order) or prospective customers (who are according to the company the persons who contact in order to obtain information on the products and services offered and who subscribe to the newsletter) had been determined or implemented by the company. The company also informed the investigation team that it did not carry out any regular deletion or archiving of such data at the end of a defined period, thereby retaining it in an active database, while its processing was no longer necessary in view of the purpose for which it was initially collected. 31. In defence, in its observations of 3 September 2021, the company firstly argued that a data retention period policy applicable to customers and prospective customers was defined from the on-site investigation on 5 June 2019, so that it could not be accused of any breach under the definition of retention periods. However, it admits that at the time of the investigation there was no functionality to determine the date of a user’s or prospective user’s last activity on their account and that this element was therefore not taken into account. 32. The company also indicated that the data of customers and prospective customers used for the purposes of marketing or managing their account was now stored in the active database until their account is deleted or, in the event of inactivity, for three years from the last time they signed into their account, their last contact with the company or their last order online or in store. At the end of those periods, the company specified that only the data necessary for pre- litigation or litigation purposes is retained and archived until the date corresponding to the statutory time limit justifying their retention, after which they would be deleted.,33. According to the Restricted Committee, with regard to the definition of retention periods applicable to the data of s customers and prospective customers, it should first be noted that on the date of the investigation of 5 June 2019, the company indicated to the investigation team that it had not determined and implemented any retention period for the personal data of customers and prospective customers. 34. The Restricted Committee then notes that the investigation team observed the presence, in an active database, of personal data of 550,645 customer accounts created since the start of the business in 2007. The company informed the investigation team that it kept in a database the personal data for 310,198 user accounts created without any order having been placed for more than three years or relating to 128,712 user accounts created but not having placed an order since 2007. 35. Therefore, whereas the Restricted Committee notes that now implements retention periods, compliance with which makes it possible to comply with the provisions of Article 5(1)(e) of the GDPR – by ensuring that the data is not stored for longer than necessary in view of the purposes for which it is processed – it considers, in any event, that on the day of the investigation, the company had not defined and implemented any satisfactory retention period policy, or data deletion procedure at the end of the period for which the processing of the data was necessary and justified, or even an archiving procedure, and that it therefore kept personal data for excessive periods. 36. With regard to all of these elements, the Restricted Committee considers that the breach of Article 5(1)(e) of the GDPR is established. 37. It points out, however, that the changes made by the company during the penalty proceedings enabled its compliance with the Regulations. C. Regarding the breach of the obligation to inform individuals pursuant to Article 13 of the GDPR 38. Article 13 of the GDPR requires the data controller to provide, at the time the data is collected, informationonits identityand contact details andthat of its data protectionofficer, thepurposes and legal basis of the processing, the recipients or categories of recipients of the personal data, information on transfers of personal data where applicable, the retention period of the personal data, the rights of individuals and the right to lodge a complaint with a supervisory authority. 39. The rapporteur notes that, during the checks carried out online on 9 May 2019 and then on site on 5 June 2019, the investigation team found that the information made available to users of the website and customers, during their visit to the store, was not complete within the meaning of Article 13 of the Regulation. Certain mandatory information provided for by this Article – namely the legal bases for processing and the data retention periods – was not brought to the attention of the data subjects on the website or in store, either through the “Privacy Policy” on the website or the document entitled “Privacy and protection of personal data collected in store” placed on the store’s sales counter.,40. In its observations in defence, the company did not dispute that no information on the legal bases was made available to the data subjects in its privacy policy. However, it argued that the document entitled “Privacy and protection of personal data collected in store” placed on the store’s sales counter did not contain information on the legal bases of processing because its “purpose was togivethemain information” whilereferringtotheamendedprivacypolicymade available on the website, which constitutes additional information and is more complete. The company also argued that the lack of information related to data retention periods was only a repeat of the breach of the principle of limiting retention periods. 41. The company added that it had drafted, as part of the proceedings, a new privacy policy which now includes all the missing information, and which has been made available on the website in order to provide information that complies with the requirements of the GDPR. 42. The Restricted Committee first of all notes that, with regard to information relating to the legal bases, the company acknowledged that such information was not present in the privacy policy accessible from the website and to which the information document on data protection, located in the store, refers as stated by the investigation team. 43. The Restricted Committee also notes that, until the penalty proceedings, the data subjects were not informed of all the legal bases of the processing carried out, in breach of the provisions of Article 13 of the GDPR. 44. The Restricted Committee then notes that the investigation team found, during the investigation of 5 June 2019, that the information on retention periods was not included in the privacypolicy. The company also acknowledged this specifying that the information was incomplete due to no definition and implementation of a personal data retention period policy. 45. Under such circumstances, the Restricted Committee considers that the breach of Article 13 of the GDPR is established on this point, since the information on the retention periods is among the information that must be communicated, in that it makes it possible to guarantee fair and transparent processing of the personal data concerned. Thus, for example, information on retention periods allows data subjects to know how long the data is kept by the controller and, consequently, for how long they can exercise their right of access. 46. The Restricted Committee also considers that the link between the company’s failure to implement data retention periods and the lack of information for individuals does not prevent these two breaches existing as such. 47. In light of the above, the Restricted Committeeconsiders that the companydid not complywith the provisions of Article 13 of the GDPR. 48. The Restricted Committee nevertheless notes that, as part of the penalty proceedings, the company demonstrated having made its privacy policy compliant, which now contains the, notices concerning retention periods for the data processed and complete information on the legal bases of the processing, to which the information document displayed in store refers. D. Regarding the breach of the obligation to comply with requests to delete personal data pursuant to Article 17 of the GDPR 49. Under Article 17 of the GDPR, the data subject has the right to “obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall be obliged to erase personal data without undue delay where one of the following grounds applies: a) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1) (...) and where there is no other legal ground for the processing; c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2) (...)”. 50. The rapporteur notes that during the investigation on 5 June 2019, the investigation team was informed that when an individual requests the deletion of their account, the company deactivates the account in question, preventing the individual from logging in and blocking the sending of marketing messages. The team thus noted the presence in the database of the personal data of a customer of the company who had previously made a request by email for deletion. Access to their account had simply been disabled. 51. In defence, the company first demonstrated the deletion of the data of the customer who had exercised their right to erasure of data after the CNIL’s investigation. It then stated that it had taken various measures to improve its internal procedure for managing requests to exercise rights, by centralising the receipt of requests, by putting a form for exercising rights online andbycreatingtheemail address “dp ”,dedicatedtoquestionsaboutpersonal data and managed by the company’s data protection officer. In addition, the company indicated that it had developed a document containing letter templates for responding to requests to exercise rights, including a letter for responding to requests for erasure. 52. The Restricted Committee notes that at the time of the investigation of 5 June 2019, when a request for deletion was sent to it, the company simply deactivated the account of the data subject without deleting their personal data, namely their surname, first name, email address, postal address and telephone number, which was actually observed by the CNIL’s team during the checks. 53. However, the Restricted Committee notes that when a person requests the erasure of their personal data, the data controller or its data processor must, in principle, actually delete the data once the conditions set out in Article 17 of the GDPR are met.,54. The Restricted Committee considers that whereas, after a request for deletion, certain personal data of customers may be kept in intermediate storage for specific purposes, in particular for legal obligations or evidential purposes or when the company has an overriding legitimate ground, that which is not necessary in order to comply with such obligations or purposes must be deleted after the exercise of this right, provided that the conditions laid down in Article 17 of the GDPR are met. 55. In view of the foregoing, the Restricted Committee considers that the breach of Article 17 of the GDPR is established. 56. However, it notes that, as part of the penalty proceedings, the company has demonstrated having taken measures to ensure compliance with this regulation. E. Regarding the failure to provide a legal act for the processing operations carried out on behalf of the data controller pursuant to Article 28 of the GDPR 57. Article 28 of the Regulation provides that the processing carried out by a data processor on behalf of a controller is governed by a contract which defines the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the controller. This contract also provides for the conditions under which the data processor shall carry out the processing operations on behalf of the data controller. 58. The rapporteur notes that, regarding the relations with its processors, the company sent two quotes countersigned with whichdid not containanyof the clauses laiddown in Article 28 of the GDPR and did not provide any legal act to govern its processing relationship with . 59. In defence, the company disputes these facts, and indicates that an agreement relating to the data processing had been signed by on 17 April 2018, but that it had not been sent to the investigation team due to the inaccurate nature of its request for supporting documents made in the on-site investigation report. The company acknowledges the absence of an act to govern its relationship with . 60. The Restricted Committee notes that the data controller and the processor must enter into a contract which includes all the mandatory information laid down in Article 28 of the GDPR in order to organise their respective relationships and data protection obligations. 61. In this case, the Restricted Committee notes that the processing relationship with was governed by a legal act at the time of the investigation carried out on 5 June 2019, under the provisions of Article 28 of the GDPR. However, on the day of the investigation, the processing relationship with - which collects and records, on behalf of , customer data for the purposes of creating a customer account at the time of their visit to the store - was not governed by any legal act.,62. The Restricted Committee therefore considers that on the dayof the investigation, the breach relating to Article 28 is established as regards the processingrelationship between and due to the absence of a contract specifying in particular the data controller’s rights and obligations and the conditions under which the data processor should carry out the processing operations on behalf of the data controller. 63. It nevertheless highlights that, as part of the penalty proceedings, the company provided evidenceofaprocessingagreementsignedwith on26August 2021, which meets the requirements of Article 28 of the GDPR. F. Regarding the breach of the obligation to ensure the security of personal data pursuant to Article 32 of the GDPR 64. Under Article 32 of the GDPR: “1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; d)a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing[…]”. 65. Firstly, the rapporteur notes that at the time of the online investigation carried out on 9 May 2019, authentication when creating a customer account on the website was based on a password composed only of a single numeric character, such as “1”, without any criteria for the complexity of the password being provided. 66. In defence, the company does not dispute these facts, but maintains that the security obligation resulting from Article 32 of the GDPR is a best efforts obligation, not a performance obligation, so the controller’s security obligation is to implement measures to reduce risks to an acceptable level, without it being compulsory, or even possible, to obtain a level of security so that the risks have no effect. The company also emphasises that the assessment of compliance with the security obligation by the controller requires consideration of the impact on the data subjects and its severity according to the categories of personal data concerned by the processing. It argues that, in the course of its business, it only collected and processed standard personal data, without any serious impact for the data subjects.,67. The Restricted Committee considers that the length and complexity of a password remain basic criteria for assessing its strength. It noted in this respect that the need for a strong password is also highlighted by ANSSI. 68. For the sake of clarity, the Restricted Committee notes that in order to ensure a sufficient level of security and satisfy the password strength requirements, when authentication relies solely on an identifier and password, the CNIL recommends, in its Decision No. 2017-012 of 19 January2017, that the password have at least twelve characters - containing at least one upper-case letter, one lower-case letter, one number and one special character - or at least eight characters - containing three of these four characters - if it is accompanied by an additional measure such as, for example, the timing of access to the account after several failures (temporary suspension of access, the duration of which increases as attempts are made), setting up a mechanism to guard against automated and multiple attempts (e.g. a “captcha”) and/or locking the account after several failed login attempts. 69. Inthis case,the RestrictedCommitteeconsiders that,in viewof the rules governingpassword composition, the strength of the passwords accepted by the company - containing one single number, such as “1”, with no criteria for the complexity of the password being provided - was too weak, risking the related accounts and personal data they contain being compromised. 70. The Restricted Committeealso considers that thelackof collectionof so-calledsensitivedata by the company, which indicates only collecting identifying or contact data, does not prevent the occurrence of malicious acts such as phishing, which is mainly based on the use of accurate and directly identifying data in order to create confusion for the user who is the subject of it. 71. In these circumstances, the Restricted Committee considers that the respondent company’s password management policy was not sufficiently robust and binding to ensure data security within the meaning of Article 32 of the GDPR. 72. However, it notes that, in the course of the penalty proceedings, the company indicated that, with regard to user accounts, it now requires a strong password comprising a minimum of twelve characters, including at least one upper-case letter, one lower-case letter, one numeric character and one special character, which was corroborated by supporting documents. 73. Secondly, the rapporteur notes that the hash function used for the storage of account passwords of customers using the website was obsolete (MD5). 74. In defence, the company does not dispute these facts. 75. The Restricted Committee emphasises that since the algorithm of this hash function is obsolete and has for a long time had well-known vulnerabilities, making it liable to be easily “broken”, this hash function no longer guarantees the integrity and confidentiality of passwords in the event of a brute force attack after compromise of the servers hosting them. Thus, the use of this algorithm would allow a person with knowledge of the hashed password, to decrypt it without difficulty in a very short time (e.g. by means of freely accessible websites that allow the value corresponding to the password hash to be retrieved). 76. In these circumstances, in view of the risks incurred by the individuals mentioned above, the Restricted Committee considers that the hash function used by the company did not make it possible to guarantee the securityof the data of its 550,000 customers, within the meaning of Article 32 of the GDPR. 77. However, it notes that, as part of the penalty proceedings, the company demonstrated having implemented a satisfactory hashing function, in BCRYPT, for all customers’ account passwords. 78. Thirdly, the rapporteur notes that the company’s employees accessed the “read/write” version of ’s database via a joint account for four employees, which is not a satisfactory measure to ensure data security. 79. In defence, the company argues that the rapporteur did not take into account the complexity of the password kept secret between the four employees authorised to access the “read/write” version of the database, nor of the authentication system based on the network addresses allowing for traceability of the access and actions of these four authorised employees. 80. The Restricted Committee notes that assigning a unique identifier per user and prohibiting shared accounts are among the essential precautions to guarantee effective traceability of access to a database. It also emphasises that the use of shared access by several people does not make it possible to accurately attribute the actions carried out on the equipment in the event of simultaneous login-in, complicating for example audits of the use of the shared account. In this sense, ANSI recommends using, by default, individual administration accounts and specifies that generic accounts on the equipment should not be used, or then exceptionally and restricted to a very limited number of administrators, since only the creation of individual accounts allows for the implementation of a relevant access control and the attribution of the actions carried out by each of the administrators. 81. In this case, the sharing of the account allowing access to the “read/write” version of the database by four employees does not make it possible to guarantee proper authentication of users and, consequently, effective management of accreditations and proper traceability of access. The Restricted Committee observes that, for example, in the event of deletion or modification of data in the database, it would be complicated to attribute responsibility to one of the four authorised individuals if several of them were connected at the same time to this generic account. 82. Therefore, such a lack of traceability of access does not allow for the identification of fraudulent access or of the individual causing the deterioration or deletion of personal data. 83. In these circumstances, the Restricted Committee considers that the use of a joint account shared by four employees does not guarantee data security within the meaning of Article 32 of the GDPR.,84. It notes, however, that the company justified, during the proceedings, having set up a single sign-on system for each user from the creation of individual accounts for access to the database in order to ensure more detailed traceability of database access. 85. In view of all the above elements, the Restricted Committee considers that the breach of Article 32 of the GDPR is established. 86. However, the Restricted Committee notes that, as part of the penalty proceedings, the company has demonstrated having taken all measures to ensure compliance with this regulation. III. Regarding corrective powers and their publication 87. Under the terms of Article 20 III of the amended Act of 6 January 1978: “When the controller or its processor fails to comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law, the chairman of the CNIL may also, if applicable, after sending the warning provided for in point I of this article or, where applicable,inadditionto anorderprovidedforinII,contacttheCNIL’sRestrictedCommittee with a view to the announcement, after adversarial proceedings, of one or more of the following measures: […] 2. An injunction to make the processing compliant with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law or to comply with the requests made by the data subject to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, with a penalty fine not exceeding 100,000 euros per day of delay from the date fixed by the Restricted Committee; […] 7. With the exception of cases where the processing is implemented by the State, an administrative fine may not exceed 10 million euros or, in the case of a company, 2% of the total annual global turnover of the previous financial year, whichever is the greater. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of 27 April 2016, these upper limits shall be increased, respectively, to 20 million euros and 4% of the turnover. In determining the amount of the fine, the Restricted Committee shall take into account the criteria specified in the same Article 83.” 88. Article 83 of the GDPR states that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive”, before specifying the elements to be taken into account when deciding whether to impose an administrative fine and when deciding on the amount of that fine. 89. Firstly, on the principle of imposing a fine, the company maintains that such a measure is not justified. The company asserts that it has complied with its legal obligations and that it, has cooperated with the CNIL in a diligent manner and in good faith since the start of the proceedings. It therefore argues that imposing an administrative fine would go against the principles of the need for penalties and proportionality. It points out in particular that it has never been penalised by the Restricted Committee, that the aforementioned breaches do not inanywayconstituteadeliberatebreachoftheGDPR,thatthedatasubjectshavenotsuffered any damage, and that no specific data referred to in Articles 9 and 10 of the GDPR is concerned. 90. The Restricted Committee notes that, in imposing an administrative fine, it must take into account the criteria specified in Article 83 of the GDPR, such as the nature, gravity and duration of the infringement, the measures taken by the controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority and the categories of personal data concerned by the infringement. 91. Firstly, the Restricted Committee notes that the company has demonstrated significant negligence with regard to the fundamental principles of the GDPR, since five breaches have been established, in particular concerning the principle of limiting the data retention period, the obligation to inform data subjects of the processing of their personal data and the obligation to respect their rights. 92. The Restricted Committee then notes that at least some breaches have been established over a period of several years and have affected a large number of people, almost 550,000 individuals, established in France and in six other Member States of the European Union. 93. The Restricted Committee also notes that, within the framework of the penalty proceedings, thecompany’scooperationwith thesupervisoryauthoritymeetstheobligationofcooperation laid down in Articles 31 of the GDPR and 18 of the Act and cannot constitute a level of cooperation exceeding that which is reasonably expected. Therefore, the company’s cooperation with the CNIL as part of the penalty proceedings cannot be considered as an extenuating circumstance when imposing an administrative fine. 94. In addition, the Restricted Committee notes that whereas the company only processes standard personal data, it is still required to implement appropriate technical and organisational measures in order to ensure a level of security for this data appropriate to the risk, in accordance with Article 32 of the GDPR and in accordance with the principles set out in Article 5 of the GDPR. 95. Finally, the Restricted Committee notes that compliance measures were only put in place by the company following the penalty proceedings and that they did not exempt it from its responsibility for the past. 96. Consequently, the Restricted Committee considers that an administrative fine should be imposed in view of the breaches of Articles 5(1)(e), 13, 17, 28 and 32 of the GDPR., 97. Secondly, with regard to the amount of the fine, the company considers that the amount of the fine proposed by the rapporteur is disproportionate in view of its economic situation. It highlights its poor financial situation and specifies that a high fine would have a significant impact on its business and economic development, particularly in terms of job creation. 98. TheRestrictedCommitteenotesthatArticle83(3) oftheRegulationprovidesthatintheevent of multiple breaches, as in the case in point, the total amount of the fine may not exceed the amount set for the most serious breach. Insofar as the company is alleged to be in breach of Articles 5(1)(e), 13, 17, 28 and 32 of the GDPR, the maximum fine that can be imposed is 20 million euros or 4% of annual worldwide turnover, whichever is higher. 99. The Restricted Committee also notes that administrative fines must be dissuasive but proportionate. In particular, it considers that the company’s activity and financial situation must be taken into account when determining the penalty and, in particular, in the case of an administrative fine, its amount. In this regard, it notes that the company reports turnover in 2019 and 2020 of approximately23 million euros, then approximately30 million euros, with a net loss of -932,078 euros and then -1.7 million euros, respectively. 100. In view of this information, the Restricted Committee considers that imposing a fine of 120,000 euros seems justified for the breaches of Articles 5(1)(e), 13, 17, 28 and 32 of the GDPR. 101. Thirdly, an injunction to make the processing compliant with the provisions of Articles 5(1)(e), 13, 17, 28 and 32 of the GDPR was proposed by the rapporteur when the report was notified. 102. The company argues that the actions it has taken in relation to all the breaches identified should lead to no further action in respect of the Rapporteur’s proposed injunction. 103. The Restricted Committee considers that the company has taken the necessary measures to ensure compliance. Consequently, the Restricted Committee considers that there are no longer grounds to impose an injunction for these points. FOR THESE REASONS The CNIL’s Restricted Committee after having deliberated, intends to: impose an administrative fine against for an amount of 120,000 (one hundred and twenty thousand) euros in respect of the breaches of Articles 5(1)(e), 13, 17, 28 and 32 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.,This decision may be appealed before the French Conseil d’Etat within two months of its notification.